Introduction

We recently had a new use case for NetScaler redirection. The aim was to redirect the request and, at the same time, pass the original request from the NetScaler to the backend servers. I searched a lot and could not find very clear instructions, so I thought of writing some myself.

In this step-by-step guide, end users call http://netscaler-ip/test/index.html and are redirected to the backend servers at http://backend-server/dump/index.html. In addition, the backend server is passed the original URL that the end user called, in our case http://netscaler-ip/test/index.html. Note that the backend servers normally do not get the URL called by the end user, only the URL that the NetScaler calls.

Step-by-step

This assumes the server, services, virtual server and content switching virtual server (if required) are already configured, so that you can reach http://backend-server/test/index.html by calling http://netscaler-ip/test/index.html.

So the first step is to configure the redirection policy.

Netscaler policies

Create a redirection policy as shown below :

[Screenshot: redirection policy]

Also create the corresponding rewrite action :

In the rewrite action above, we replace “test” with “dump” in the URL. The last part is to attach this policy to our virtual server. Now, whenever http://netscaler-ip/test/index.html is called, it is redirected to http://backend-server/dump/index.html.

However, this only achieves 50% of our goal. If we check the Apache log files on the backend server, they look as follows:

So in the Apache log files, one can see only the URL that the NetScaler calls, not the original URL that the end user called.

To achieve the other half of the goal, I created another policy as shown below:

The important part is the corresponding action for this policy; as the name suggests, it performs an insert header:

As you can see in the snippet above, the type is INSERT_HTTP_HEADER, and HTTP.REQ.HOSTNAME + HTTP.REQ.URL.PATH_AND_QUERY is used to build the original URL. Also do not forget to check the “Bypass safety check” option.

Finally, attach this policy to the virtual server as well. Make sure that the policy inserting the header with the original request has a lower priority, so that it gets executed before the redirection actually happens.

Now it is time to test again, and you can see the original URL in the Apache logs.

One open question is whether this goal can be achieved without bypassing the safety check in the rewrite action for the insert header option.
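
The two policies and their binding order, written as NetScaler CLI commands. This is an added example, not taken from the original post's screenshots: the object names, priorities, policy rules and the header name X-Orig-Request-URL are assumptions, and the first policy (removing a client-supplied copy of the header) is an addition so that the backend only sees the value set by the NetScaler.

```netscaler
# Added example. Assumed names: vs_web (the existing LB virtual server),
# act_*/pol_* objects, and the header name X-Orig-Request-URL.

# 1. Addition to the post's steps: drop any copy of the header sent by the
#    client, so the value logged on the backend always comes from the NetScaler.
add rewrite action act_del_orig_url delete_http_header X-Orig-Request-URL
add rewrite policy pol_del_orig_url "HTTP.REQ.HEADER(\"X-Orig-Request-URL\").EXISTS" act_del_orig_url

# 2. Insert the original host + path + query as a request header, using the
#    expression and the "Bypass safety check" option named in the post.
add rewrite action act_ins_orig_url insert_http_header X-Orig-Request-URL "HTTP.REQ.HOSTNAME + HTTP.REQ.URL.PATH_AND_QUERY" -bypassSafetyCheck YES
add rewrite policy pol_ins_orig_url "HTTP.REQ.URL.PATH.STARTSWITH(\"/test/\")" act_ins_orig_url

# 3. Replace the first path segment: /test/index.html -> /dump/index.html.
add rewrite action act_test_to_dump replace "HTTP.REQ.URL.PATH.GET(1)" "\"dump\""
add rewrite policy pol_test_to_dump "HTTP.REQ.URL.PATH.STARTSWITH(\"/test/\")" act_test_to_dump

# 4. Bind all three to the virtual server. The header policies get the lower
#    priority numbers, as the post instructs, and NEXT so that evaluation
#    continues to the following policy instead of stopping at the first match.
bind lb vserver vs_web -policyName pol_del_orig_url -priority 80 -gotoPriorityExpression NEXT -type REQUEST
bind lb vserver vs_web -policyName pol_ins_orig_url -priority 90 -gotoPriorityExpression NEXT -type REQUEST
bind lb vserver vs_web -policyName pol_test_to_dump -priority 100 -gotoPriorityExpression END -type REQUEST

# 5. Check that the policies are being hit after a test request.
show rewrite policy pol_ins_orig_url
show rewrite policy pol_test_to_dump

# On the Apache side the header only appears in the access log if the log
# format includes it, for example (assumed format name "origurl"):
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{X-Orig-Request-URL}i\"" origurl
```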

For a few days, I have been trying to set up an F5 BIG IP lab at home to practise for the F5 BIG IP LTM specialist exam 301a. Yes, you guessed it right, I have already completed my F5 BIG IP 101 and 201 by referencing some books, the study guide on the F5 website and some practical exposure from my office.

But, now I think it is a good idea to set up a lab at home which I can switch on/off anytime and twist the settings. So here is how my journey begins with setting up of lab at home.

I started with my so-called new HP laptop (7 years old) and damn, it is 32 bit. F5 BIG IP needs a 64 bit OS. So either I should buy a new one or look out for alternatives. I then tested a couple more laptops, including one from my office, and all were 32 bit.

I then thought of buying a lab in the cloud or practicing using AWS. Though the rates look really cheap, like 0.4$ per minute, most likely buying a new laptop would be cheaper and a better investment.

So I finally got a new high end acer v15 laptop with windows 10 64 Bit and 16GB RAM. Fully excited, I downloaded the trial version from F5 site and imported in oracle Virtual box. Only for your information, oracle virtual box is also an open source free software.

The F5 version which I downloaded is 11.3 and my oracle virtual box version is 5.1.

There was no error while importing the F5 BIG IP ovf file, but when starting this machine, it would simply hang on “GRUB Loading stage2..”.

After doing some research on Google, I found a post where the solution is mentioned as activating the COM port. I did that and it worked. So finally I can boot my F5 BIG IP virtual device and can access it from the web interface and from the command line.

Now, in order to complete the lab, I looked for a very lightweight distro where I can run my web servers. I found the Damn Small Linux box to be one of the best options. The image is just about 50Mb and takes less than a minute to boot. It has the monkey webserver in it. So for the initial lab, you really do not need to do anything more.

Stop searching for a book on the internet. I tried a lot but could not find one single book which covers all the topics of the 201 exam.

Refer to the F5 BIG IP 201 – study guide for preparation. Do not forget to go through the links given in this guide. This is the only and main material which covers most of this exam.

Videos at CBT nuggets can help to speed up your learning the F5 LTM product. But just watching the videos and doing tutorial in the lab may not be sufficient to pass this exam.

Do you know what is BIG-IQ ? If not, read it. There were 2-3 questions on it. Do not leave any topic assuming it to be not important.

Get used to seeing the network map screen and the nodes, pool or pool member screens. There are several questions with snapshots taken from these screens.

Understand the status symbols and when the node/pool member etc. will or will not get traffic.

Try the backup and restore command multiple times via the command line so that you know the syntax.

About 3-4 questions were based on priority and ratio in virtual servers. So it is important to understand the division of load with priority and ratio set.

A few questions will have log file snippets. Fortunately, the information in the log file snippets is not difficult to interpret. The options given in such questions are very easy. So it is quite simple to get to the right answer.

Read about the priority and what you will be providing to F5 support. For example, if you are suspecting some hardware failure, you would give the F5 EUD log files. If you created a new virtual server and it is not passing the traffic, this should be opened as a priority 3 incident case with the F5 BIG IP. I hope this will give a hint as to what kind of questions to expect 😉

There are good number of questions on HA sync issue or software updates.

Which port is required to fetch the logs from the mgmt GUI by the admin ?? Oops such tricky questions may appear where you have to use logic at that moment only.

Tick tick tick….watch out for the time. You may run out of it. There are some questions with a story in them and many questions with screenshots. Such questions can eat your time. If you get stuck, move ahead.

I hope the above tips and tricks may help. Unlike the F5 101 exam, in the 201 exam it is quite simple to rule out the wrong options. So if you cannot get to the right answer by just reading the question, try removing the wrong answers.

All the very best for the exam and would love to hear the feedback from you 🙂

order of virtual servers
port used for GUI
priority and ratio based algorithm
where does system error files get saved.
when to provide EUD.

Update 27Feb 2017 : Below are the tips from NG. Thanks NG for sharing

there are total two guides – StudyGuide_201_TMOS_OfficialF5 and Certification_Study_Guide_201_v2

go through all links in both guides, which are mostly AskF5 and some DevCentral… they have very good information from both exam and knowledge point of view

hands-on practice is very helpful

questions on VS selection with order of preference

Pool member status, which pool member will be selected..timeout,2-3 IQ questions,Analytics,Cookie persistence…VS types,monitors and their settings,load balancing…

keep watch on time and if question is more descriptive then mark and go to next question and do this in last

Update 20 May 2017 : Below tips are shared by Ed. Thanks a lot for sharing as I am sure it would be helpful for other.

– Get used to reading the configurations in text mode as well, some question will show you a fragment of the config (in text) and ask based on that
– Make sure to understand the difference between status of a node and pool member. For example what happens if pool member reports status OK and node monitor down. Practice all the possible combinations in your own lab
– if a fan speed is slow where the log is reported? /var/log/messages is not an option 🙂
– Watch the BIG-IQ video on F5 University (under v11 Overview Modules > Getting Started with F5 Products). It will give you a great summary of what you need for the exam in less than 30 minutes
– Understand user roles and what permissions have each of these.
– make sure to understand when to use troubleshooting tools such as ping, netstat, curl, etc. Sounds simple, but in some questions you might think of two possible answers; you need to think of the BEST.
– tcpdump, they will describe scenarios and you need to understand where is the best interface/vlan to run this tool
– Assuming there is a UCS locally stored, from what directories the bigip.conf can be pulled (Think of two options)
– Test and read port lockdown and how to give admin access to a self IP
– Get used to common default settings. Some questions say “assuming default settings…”
– Study Guide is not enough… Go through the links and have additional reading.
– few questions (for not saying none) of iRules and SSL Profiles, actually these are not part of the blue print
– Good number of questions of clustering (SYNC, configuration groups, etc) make sure to read “Managing Configuration Synchronization” in the clustering guide https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-device-service-clustering-admin-11-4-0.html
– All the topics for the exam are on the Study guide, do not spend time searching for exam dumps or additional non-F5 material

Update 24 July 2017 : Below tips are shared by Ramesh :

If you have F5 Partner account, then please go through all the LTM video trainings, practice Vlab, study all Veritable Networks links.

Practice in Vlab( how to create user account in cli, curl command, tcpdump, nslookup, dig, how to analyze network map, dashboard gauge statistics output?, how to generate qkview file in cli, how to upload and save ucs files).

Here I come up with another section of tips and tricks to pass the F5 BIG IP 101 Exam (Application delivery fundamentals) based on my own experience and the blogs I read on the internet :

Most of the 101 paper is based on networking fundamentals and is not easy like other vendors' networking exams.

One really needs to understand the TCP/IP concepts. I remember one of the questions from my exam asking the first packet number in a TCP connection, or how the source MAC address will be changed when packets transfer from point A to point B.

Questions are story based where you are provided with a scenario and then you have to answer it.

Exhibit where you had (client -> proxy -> LB -> server) and the question was why the LB is there (the answers were “because it's closest to server”, “because it can forward traffic” and 2 more answers which I don't remember).

AAA: what does the 3rd A stand for?

An admin has the site example.com under address 192.12.13.14 and there is a need to implement the same site under a new IP X X X X, but first you need to test that it is working. What will you do: change something in the DNS server, change a local file on the server, + 3 more answers.

Flow of OSI for the sender: when client A is sending a packet to B, how will it look on OSI, layer from 1 to 7 or from 7 to 1?

There was one question about TCP dump output something like that :

172.23.12.11 > 10.1.2.3

10.1.2.3 >172.23.12.11

Who will reply next (but note that there were flags etc. I don't remember now). So in short, you should be able to read TCP dump output.

* how was the tcp sequence number generated?
* what is the initial tcp sack in tcp 3 way handshake?
* SSL offloading advantages?
* persistence methods? (5 questions)
* in which scenario does full proxy tcp connection required? (5 questions)

Here are some of the tips and tricks to clear the CCP-N exam based on my and my colleagues' experience :

Download the study guide from the Citrix website and also download the complete Citrix NetScaler documentation. I prefer to download it as a PDF, which will be pretty fat at 5000 pages, but then you can read it anytime and anywhere. All the questions would be coming from this big PDF, and the good thing is you can skip lots of topics.

On the Citrix website, you can also enroll for some free courses, which will be good if it is your first day with Citrix.

If you already have access to a Citrix NetScaler lab in your office, that is good. If not, then simply download the Citrix NetScaler VPX with the 3 months free license and install it on your VMware or ESX. Hands-on is a must. You will not be able to clear the exam without some hands-on. You only need a VMware player and a 64 bit laptop.

By reading the documentation, you would be able to do most of the lab exercises without anyone’s assistance, but if you still need help, check out YouTube, or CBT Nuggets has a very cool start-up course on NetScaler.

Do not use the brain dumps which many websites offer. The basic idea of taking exam will be lost and I heard that no question actually appears from these brain dumps.

Most of the questions in exam would be simple. You will be easily able to eliminate the wrong options to reach the right answer.

The time would be more than sufficient in exam.

Most of the questions would be direct without a confusing story in the back ground.

Only about 4-5 questions on CLI commands.

All the very best for your exam and if you are still scared….remember, you can reach the right answer by eliminating the wrong options 🙂

I would love to hear the feedback from you and if you have any new tips for this exam 🙂